As a privacy lawyer, I thank you for the recommendation to use lawyers. :-) But from a consumer's perspective, I wish we could point them to a few easy ways they can verify authenticity.

-----Original Message-----
From: Dr. Jeffrey Race [mailto:jrace@xxxxxxxxxxxxx]
Sent: Sunday, December 21, 2003 10:30 AM
To: Jeffrey Race
Cc: ietf@xxxxxxxx; parry@xxxxxxxxx
Subject: Re: [Fwd: [isdf] need help from the ietf list...can someone post this for me? or allow me to post directly?]

You must base your business plan on the fact that your problem has no solution, technical or otherwise. Any technical means to restrict access or identify a host can be defeated by a determined hacker, and you can be 100% sure that your hackers are more motivated than your employees.

Even were technical solutions to exist (which they don't), you still face the implications of Sturgeon's Law [<http://www.faqs.org/docs/jargon/S/Sturgeon's-Law.html>] that ninety percent of everything is crap, including human mentality (in my opinion a low estimate). Social engineering possibilities are endless in this environment.

As a business you must take defensive measures against technical failures and human gullibility. Probably start with good lawyers and good contracts, placing all responsibility on the customers.

My (very excellent) little bank in Cambridge, Massachusetts has just written my wife that the checking account database was stolen by a bank employee, so she should inform the credit reporting agencies of likely identity theft. You see the problem . . . .

Having some technical knowledge of how secure these systems are, I have chosen never to use either electronic banking or an ATM card. The losses from the regularly recurrent frauds against my few credit cards are entirely borne by the sloppy merchants who tolerate fraudulent usage.

Jeffrey Race

>> -----Forwarded Message-----
>> From: Parry Aftab <parry@xxxxxxxxx>
>> To: isdf@xxxxxxxx
>> Subject: [isdf] need help from the ietf list...can someone post this for me? or allow me to post directly?
>> Date: 20 Dec 2003 16:50:33 -0500
>>
>> We have been experiencing a huge growth in phishing (e-mails designed to trick people into providing sensitive information (credit card, account passwords, etc.) to a spoofed website masquerading as a trusted financial institution's site).
>>
>> For example, you receive an e-mail telling you that there has been a security breach at PayPal, and you need to log into the site and correct your info, by using the bogus link they provide.
>>
>> Every time we announce a way to confirm that the site is what it claims to be (checking the certificate, history bar, etc.) the phishers find a tech solution to improve their frauds.
>>
>> Now IE has a bug that allows them to mask the real site more easily, by showing the spoofed site in the navigation bar.
>>
>> Do any of the IETF members have suggestions for easy ways of confirming that the site you just linked to is really the site you wanted to access?
>>
>> I am asking in my capacity as the world's largest online safety and help group, WiredSafety.org.
>>
>> Parry Aftab
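Added example, not part of the original thread or written by any of its participants: Parry Aftab asks for an easy way to confirm that the site a link leads to is the site the e-mail claims. One mechanical check that does not depend on what a browser chooses to display is to parse the link the way RFC 3986 says a client must and look at the host it will actually connect to. The classic disguise is a trusted-looking name placed before an "@", which the URL grammar treats as user-info rather than as the host, and another is a trusted name used as a prefix of an attacker-controlled domain ("paypal.com.evil.example"). The sample links below are constructed for illustration, "paypal.com" is taken as the expected domain only because the message names PayPal, and the code says nothing about certificates or about how any particular browser rendered such links.

```python
"""Extract the host a link really points at and compare it with the site the
e-mail claims to be.  Added illustration; the sample links are constructed."""
from urllib.parse import urlsplit


def real_host(url: str) -> str:
    """Return the host a standards-conforming client will connect to.

    Per RFC 3986 everything before an '@' in the authority is user-info,
    not the host, so 'http://www.paypal.com@evil.example/' connects to
    evil.example.  urlsplit applies that rule; we only normalise the result
    (lower case, port removed, trailing dot of a fully-qualified name dropped).
    """
    parts = urlsplit(url)
    host = parts.hostname  # already lower-cased, user-info and port stripped
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".")


def is_expected_site(url: str, expected_domain: str) -> bool:
    """True only if the real host is expected_domain or a subdomain of it.

    Compare on label boundaries: 'paypal.com.evil.example' must not match
    'paypal.com', so a plain substring or prefix test is not enough.
    """
    host = real_host(url)
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def explain(url: str, expected_domain: str) -> dict:
    """Describe why a link is or is not trusted, suitable for a user warning."""
    parts = urlsplit(url)
    reasons = []
    if parts.username is not None:
        reasons.append("link contains '@': text before it is a username, not the site")
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme!r}, not https")
    host = real_host(url)
    trusted = is_expected_site(url, expected_domain)
    if not trusted:
        reasons.append(f"real host is {host!r}, not under {expected_domain!r}")
    return {"url": url, "real_host": host, "trusted": trusted, "reasons": reasons}


# Constructed sample links of the kinds phishing mail has used.
SAMPLES = [
    "https://www.paypal.com/cgi-bin/webscr?cmd=_login-run",
    "http://www.paypal.com@192.0.2.10/login",
    "https://www.paypal.com.evil.example/login",
    "https://paypal.com.evil.example/",
    "http://192.0.2.10/paypal/login.htm",
]

if __name__ == "__main__":
    for u in SAMPLES:
        r = explain(u, "paypal.com")
        print(("TRUSTED " if r["trusted"] else "SUSPECT ") + u)
        for why in r["reasons"]:
            print("    - " + why)
```

Run stand-alone it prints one verdict per sample link with the reasons for each. The important design point is that the decision is made on the parsed host, never on the text of the link or on what the address bar shows; the two are exactly what phishers control.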